January 31, 2025
Google Login Vulnerability Could Expose Millions of Users’ Data

When a startup fails, founders work hard to salvage as many assets and funds as possible. This is why closing down SaaS service accounts is rarely on their list of priorities. However, a recent Google login vulnerability discovered by an ethical hacking company shows how dangerous this can be.
Hackers look for the domain names of failed startups and purchase them for nefarious purposes. Once they control these domains, the malicious actors can create email accounts and use them to bypass SaaS security systems.
All they need to do is click on the “Sign-in with Google” option to access the still active accounts of the failed startups.
How Does This Vulnerability Impact Data Protection?
Sign-in with Google is one of the most convenient ways of logging in to various accounts. But, by its nature, this OAuth feature effectively bypasses all technical safeguards.
Thus, the hackers controlling the domain names of shuttered companies can access all the data stored by the company on various online platforms, such as:
- ChatGPT
- Zoom
- Slack
- Cloud storage facilities.
Most of these failed startups used to store sensitive data on these platforms, including their employees’ private information.
A Demonstration of the Dangers of the Google OAuth Flaw
The ethical hacking company presented their findings to Google, without receiving an answer. Thus, they used a cybersecurity convention as the platform to raise the alarm on the Google login vulnerability.
The co-founder and CEO of the company demonstrated how buying an old company domain name offered him access to an HR software suite. There, he could access all the critical personal data belonging to former employees: names, addresses and national ID numbers.
These are all the details a hacker needs to commit identity theft.
Google’s Response to the SaaS Security Vulnerability
After the demonstration, Google acknowledged the flaw and even rewarded the ethical hacking company for discovering it. However, a spokesperson for the company said that Google does not plan to pursue a fix.
Instead, they recommend customers close down all their domains and accounts properly when they shut down their company. Also, all SaaS service providers should follow the best practices in data protection and business security.
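For SaaS providers, one way to stop a re-registered domain from inheriting old accounts is to match sign-ins on Google's stable account identifier rather than on the email address. The sketch below is an added example, not code from the article, the researchers, or Google. It assumes the ID token's signature has already been verified; the account store, function names and sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Account:
    google_sub: str  # Google's stable per-account ID, stored at first sign-in
    email: str
    workspace: str

# Constructed record: created while the startup was still operating.
ACCOUNTS = [Account("1111-original", "hr@failed-startup.example", "hr-suite")]

def login_by_email(claims):
    """Weak: the email address alone decides which account is opened."""
    for acct in ACCOUNTS:
        if acct.email == claims["email"]:
            return acct
    return None

def login_by_sub(claims):
    """Hardened: the 'sub' claim decides; a known email arriving with an
    unknown sub is a different Google account and is refused."""
    if not claims.get("email_verified"):
        return None, "email not verified"
    for acct in ACCOUNTS:
        if acct.google_sub == claims["sub"]:
            return acct, "ok"
    if any(a.email == claims["email"] for a in ACCOUNTS):
        return None, "known email, different Google account"
    return None, "no account"

# Constructed ID-token claims (signature assumed already verified).
FORMER_EMPLOYEE = {"sub": "1111-original", "email": "hr@failed-startup.example",
                   "email_verified": True}
NEW_DOMAIN_OWNER = {"sub": "9999-recreated", "email": "hr@failed-startup.example",
                    "email_verified": True}

if __name__ == "__main__":
    print("email match:", login_by_email(NEW_DOMAIN_OWNER))
    print("sub match:  ", login_by_sub(NEW_DOMAIN_OWNER))
    print("sub match:  ", login_by_sub(FORMER_EMPLOYEE))
```

A refused sign-in of the "known email, different Google account" kind is also a useful alert for the provider's security team, since it indicates the mailbox may have changed hands.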
How to Prevent Personal Data Theft through the Google Login Vulnerability
As an employee leaving a company when it shuts down, you have the right to request that your personal data be deleted from everywhere – except for official employment documents. Although it is a difficult time for everyone involved, tell your employer to do so.
As a business owner, you have a responsibility towards your employees, even though your company failed. They did their best to help you succeed. The least you can do for them is make sure that hackers cannot obtain their data.
Thus, remember to close down all your company’s online accounts as part of the closing down process. And when you are ready, make a fresh start in business with CyberFlow as your cybersecurity partner.